Your corporate and personal data in Microsoft 365 is exploding, and oversharing sensitive data happens on a daily basis. Your colleagues are using public generative A.I. apps in combination with your sensitive and stale data.
Microsoft 365 Copilot processes and shares this type of data with unauthorized people, posing not only a data security risk but also negatively impacting overall Microsoft 365 Copilot adoption within your organization. These challenges seem difficult to overcome, but there is hope on the horizon! Microsoft Purview is a great place to start. In the second part of this series, we focused on Data Loss Prevention. In this article, we're talking about managing and monitoring your sensitive data with the help of retention labels.
One of the challenges in implementing retention labels is making a compelling business case for the stakeholders responsible for funding these types of projects. We have been in this situation before. That’s why we provide three business scenarios you can use to persuade your stakeholders.
Each country or industry is subject to specific archive and retention regulations, such as HIPAA, GDPR, or the Dutch Archive Law. Non-compliance with these regulations may lead to financial penalties, diminished customer trust, and possible bankruptcy.
Unnecessary data can occupy valuable storage in your Microsoft 365 tenant, especially in SharePoint Online. Customers who don't use retention labels often end up purchasing extra storage, particularly during migrations. Using retention labels helps remove redundant data and free up space.
Retention labels are not integrated with Microsoft 365 Copilot in the same way as sensitivity labels. Retention labels help ensure that responses use accurate and current data. This helps prevent outdated information from being processed, which can affect data accuracy and reliability.
These business scenarios show the power of retention labels in complying with archive and retention acts, reducing your Microsoft 365 storage and improving the quality of your Microsoft 365 Copilot results. This should provide you with enough ammunition to secure funding for your project.
We aren’t going to delve into the detailed configuration of retention labels here. However, we need to discuss the foundation of your retention labels: data lifecycle policies and archive & retention acts. Each organization, regardless of its type or size, should have an overall data retention policy and comply with the corresponding archive & retention acts covering these aspects. We provide our recommendations in the following paragraph.
The following figure shows the data lifecycle in your Microsoft 365 environment:
Retention labels primarily address the deletion and archiving of data. For each category of sensitive data within an organization, it is necessary to clearly define the data lifecycle. Without this definition, implementing retention labels won’t be successful.
After you have identified the archive and retention act relevant to your organization, you will be able to reference a list of data types with their respective lifecycles. For instance, in the Netherlands, the Archive Law mandates the deletion of resumes from candidates who are not hired; these documents must be deleted after four weeks, though this period may be extended to one year with the candidate's consent. It is advisable to review your Microsoft 365 tenant, as it is highly likely, we speak from experience, that numerous candidate resumes are currently stored there.
In some cases, customers may not be ready to start a comprehensive project for retention labels linked to specific data. Instead, they prefer to begin with generic retention labels. The following table provides recommendations for retention label options suited to this approach.
| Name | Description |
Employees can manually assign these labels to their data. The specific names and descriptions of the labels can be determined according to what best fits your organization and data management needs. The next step is to focus on overall management and monitoring after retention labels are implemented in your Microsoft 365 tenant.
The following topics are essential for the effective management of your sensitivity labels:
A brief overview of these areas will be provided below.
Yes, you can manually assign retention labels to your data. The true power, and convenience for your employees, lies in the automation of assigning the correct retention label with its corresponding retention controls. This fantastic feature stands or falls with the definition of your sensitive data. For example,
The following four tips can assist in identifying sensitive information:
After defining the properties that will help you recognize your sensitive information, you can configure the auto label feature of the retention label:
We are selecting “sensitive info types”, but you can also use trainable classifiers.
We recommend running the simulation mode for your retention label policy before you enable it in production. The results of the simulation can be found by opening the label policy menu and clicking on the corresponding policy. For example,
We advise reviewing a large subset of the samples, so you are confident the auto label policy assigns retention labels to the correct content. Are you happy with the results? Time to launch your policy!
The main challenges in adopting and training employees on retention labels are minimizing disruption to their daily work and handling disposition reviews.
Generally, retention labels do not affect employees unless data is marked as a record using Record Management. The table below outlines how retention labels, with or without records, impact document actions.
Marking data as a record significantly affects the daily operations of your colleagues who work with retained data marked as a record.
A retention label can trigger a disposition review. When assigning colleagues as disposition reviewers, ensure they have the right role and understand how to use the review menu for data deletion.
For effective education, we recommend organizing training sessions, either online or on-site. Unfortunately, Microsoft does not offer a wealth of training materials on this topic.
After you have deployed your retention labels, it is crucial to monitor the usage of your labels. You need to know if you are successful and where current gaps reside. Microsoft Purview provides the following monitoring features.
One of the challenges with Microsoft features and services is the absence of centralized reporting and dashboards. The main page of Data Lifecycle Management contains only one report:
After clicking on more details, the Content Explorer (classic) opens. This leads us directly to the Data Explorer. We realize this is a bit disappointing, but you can use the Policy Lookup feature in the Record Management solution. For example,
You can view any retention policies connected to a user, site or Microsoft 365 Group.
Data Explorer allows you to find and, depending on your permissions, to view data with a specific retention label. For example,
Be aware: The ability to use the Data Explorer must be approached with care and responsibility. Once permissions are granted, you can access all content, which may include highly sensitive information. Privacy must be respected at all times. The Data Explorer should be used only for specific purposes, such as investigating potential data leaks.
The following roles are crucial:
Unfortunately, even with the correct permissions, the source tab (to view the data) doesn’t always work. In case the Data Explorer isn’t working for you, there is also the Content Explorer. It provides similar features.
Activity explorer enables you to monitor what's being done with your labeled data by providing a historical view of activities on your labeled data. The information is gathered from the Microsoft 365 unified audit logs, transformed, and displayed in the user interface. Unfortunately, the data only goes back up to 30 days. To preserve a longer timeframe, you have to export audit logs and use these in a dedicated analytics tool. The retention label filter isn’t enabled by default. You need to select it manually, with the add filter button, and save your filter set so you can easily access it again the next time you open the Activity Explorer.
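One way to keep retention label activity beyond the 30-day Activity Explorer window, shown as an added example that is not part of the original article: it merges successive audit log CSV exports into one de-duplicated archive and counts events per month. It assumes each export row carries the record as JSON in an `AuditData` column with `Id`, `CreationTime`, `Operation` and `UserId` fields; the operation names in `RETENTION_OPS` and all sample records are assumptions constructed for illustration.

```python
import csv
import io
import json
from collections import Counter

# Retention-label operations (assumption: verify against your own export).
RETENTION_OPS = {"ComplianceSettingChanged", "LockRecord", "UnlockRecord"}

def merge_export(archive, csv_text, ops=RETENTION_OPS):
    """Merge one CSV export into `archive` (record Id -> AuditData dict).
    Keying on Id keeps overlapping exports from counting an event twice."""
    added = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            rec = json.loads(row.get("AuditData") or "")
        except json.JSONDecodeError:
            continue  # truncated or non-JSON row: skip it, keep going
        if not isinstance(rec, dict) or rec.get("Operation") not in ops:
            continue
        if rec.get("Id") and rec["Id"] not in archive:
            archive[rec["Id"]] = rec
            added += 1
    return added  # number of newly archived records

def monthly_summary(archive):
    """Count archived events per (YYYY-MM, Operation, UserId)."""
    counts = Counter()
    for rec in archive.values():
        month = (rec.get("CreationTime") or "")[:7]
        counts[(month, rec.get("Operation"), rec.get("UserId"))] += 1
    return counts

def _export(records, extra=""):
    """Render constructed records as an export-style CSV string."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "Operation", "AuditData"])
    for r in records:
        writer.writerow([r["CreationTime"], r["Operation"], json.dumps(r)])
    return out.getvalue() + extra
def _rec(rid, when, op, user):
    return {"Id": rid, "CreationTime": when, "Operation": op, "UserId": user}

# Constructed sample data, not real tenant records.
A1 = _rec("a1", "2025-01-14T09:02:11", "ComplianceSettingChanged", "anna@contoso.example")
A2 = _rec("a2", "2025-01-15T10:00:00", "FileAccessed", "bob@contoso.example")
A3 = _rec("a3", "2025-01-30T16:45:00", "LockRecord", "anna@contoso.example")
A4 = _rec("a4", "2025-02-20T11:30:00", "UnlockRecord", "bob@contoso.example")
EXPORT_JAN = _export([A1, A2, A3])
EXPORT_FEB = _export([A3, A4], extra="2025-02-03T08:00:00,LockRecord,{not json\r\n")
```

Run `merge_export` on each new export against the same archive, persist the archive between runs, and feed `monthly_summary` into whatever reporting tool you use.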
While Microsoft Purview is a great place to start your data governance journey, managing and protecting the content inside documents, messages, and records, it is unable to provide holistic platform or service governance across all Microsoft technologies.
This is where Rencore Governance adds an essential layer of service governance on top of Microsoft Purview. While Purview focuses on data classification and protection, Rencore Governance helps you systematically manage structural sprawl across thousands of Teams, SharePoint sites, and Power Platform assets, clarify ownership, and identify outdated or unused resources.
It also enables you to detect and control permission creep by monitoring oversharing with guests and external users, and to govern the growth of Copilot Studio and SharePoint AI agents through improved visibility and lifecycle controls. Together, these capabilities address risks that lie beyond Purview’s scope but have a direct impact on security, cost efficiency, user experience, and your overall AI readiness.
By bridging the gap between data governance and service governance, Rencore ensures that your Microsoft 365 environment is not only compliant but also clean, secure, and optimized for future innovation.